August 2006
Report No. 06-016

Controls Over the Disposal of Sensitive FDIC Information by Iron Mountain, Inc.

AUDIT REPORT

This Report Contains Confidential Information
For Official Use Only
Restricted Distribution

Background and Purpose of Audit

In carrying out its mission, the FDIC creates and acquires a significant amount of sensitive information. Much of this information is required to be protected by federal statutes and regulations. It is, therefore, critical that the FDIC implement appropriate controls when disposing of sensitive information to prevent an unauthorized disclosure that could lead to potential legal liability or public embarrassment.

The FDIC’s Division of Administration (DOA) has overall responsibility for the FDIC’s records management program, including the disposition of official hardcopy and electronic records no longer needed to conduct business. In 2000, DOA awarded a contract to Iron Mountain, Inc.® (Iron Mountain) for nationwide records management services, including the disposal of sensitive FDIC records. The FDIC’s headquarters offices disposed of approximately 168,000 pounds of sensitive and non-sensitive records from July 2005 through February 2006, primarily due to consolidation of headquarters office space.

The objective of the audit was to determine whether the FDIC has adequate controls for ensuring the secure disposal of sensitive information by Iron Mountain. The audit focused on the disposal of information contained in shredder bins and consoles provided by Iron Mountain for the FDIC’s headquarters offices.

Results of Audit

The FDIC established a number of key controls to ensure the secure disposal of sensitive information by Iron Mountain. Such controls include a corporate policy on records disposal; policies and procedures related to contractor integrity, fitness, and background investigations; and contractual requirements governing the destruction of information. In addition, no instances of unauthorized disclosure or use of sensitive FDIC information came to our attention during the audit. However, as reflected in the table below, the FDIC needed to improve its oversight of the Iron Mountain contract to ensure that controls designed to safeguard the disposal of sensitive information were effectively implemented. We also identified certain other matters relating to subcontractor costs and agreements and the identification of FDIC’s records management contractors that warrant management attention.

Controls for Safeguarding the Disposal                     Establishment        Implementation
of Sensitive Information                                   of Control           of Control
----------------------------------------------------------------------------------------------
Independent Audits and Trade Certifications                Needs Improvement    Needs Improvement
Integrity, Fitness, and Custody of Sensitive Information   √*                   Needs Improvement
Background Investigations                                  √                    Needs Improvement
Authorization of Contractor Personnel                      √                    Needs Improvement
Supervision of Records and Media Destruction               √                    Needs Improvement
Certificates of Destruction                                √                    Needs Improvement
On-site Inspections of Disposal Operations                 √                    Needs Improvement

* Indicates that the control is in place.

Recommendations and Management Response

We recommended that the Director, DOA:
• Consider the results of independent operational audits and recognized trade association certifications before approving disposal firms.
• Require all firms providing records disposal services on behalf of the FDIC to comply with FDIC acquisition policies and procedures.
• Establish clear expectations regarding contractor and subcontractor oversight for contracted records management services.
• Perform periodic site inspections of firms providing records disposal services.
• Ensure that subcontractor invoices and agreements are consistent with FDIC policy and the Iron Mountain contract.
• Identify all firms providing records management services for the FDIC.

DOA management’s comments and planned actions were responsive to the recommendations.